Overview
Syllabus
Intro
Why VMware Patch Analysis?
VMware Workstation Attack Surfaces
VM-Tools & VMware RPC
Guest RPC Mechanism
VM Backdoor
RPC Packet Handling in Host
Sending Custom RPC Packets From Guest to Host
RPC Bug 1: OOB in Drag and Drop
Achieving OOB Read
Achieving OOB Write
Info. Leak Using OOB Write Over RPC
Bug 3: Use After Free
VMware Virtual Printer
Triggering the Print Preview
Double Free in EMR_SMALLTEXTOUTW (CVE-2016-7082)
Patch for CVE-2016-7082
Embedded EMFSPOOL (CVE-2016-7083)
Out of Bounds Write Vulnerability in JPEG2000 Decompression (CVE-2016-7084)
Patch for CVE-2016-7084
More Fuzzing
VMware SVGA II Device Architecture
SVGA FIFO Commands
History of Security Bugs in FIFO Commands: Cloudburst by Kostya Kortchinsky
What Are Shaders?
Life of a Shader
Shader inside VMware Workstation
Passing Shader bytecode from guest to host via 'SVGA3D' Protocol
Shader Bytecode handling in Host
Vulnerabilities in Virtual GPU
SVGA Patch 1 (Workstation 12.5.4 - 12.5.5)
Heap OOB Write
Demo: SVGA Memory Corruption
Other SVGA Issues fixed in 12.5.5
Possible Security Issue fixed in SM1 'op_calli' instruction parser in version 12.5.3?
Black Hat Sound Bytes
Other Works and Recommended Reads
Questions?
Taught by
Black Hat